likewise screws up PAM configuration for other services

Bug #1162836 reported by Ayecee
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
likewise-open (Ubuntu) | Fix Released | Medium | Gunnar Hjalmarsson |
Precise | Fix Released | Medium | Unassigned |

Bug Description

[Impact]
With likewise-open installed, the pam environment may not be read, causing some environment variables like PATH or LANG to be incorrect.

[Test Case]
0. Install likewise-open
1. Login via lightdm
2. Open a terminal.
3. Run "echo $PATH"

Expected result: the path contains the folder /usr/games like on earlier releases of Ubuntu.
Actual result: PATH does not include /usr/games

In addition, this causes PATH to not be set correctly after sudo. For instance, /usr/sbin is not in path after sudo. Once again, downgrading lightdm resolves the problem.

[Regression Potential]
This patch affects pam configuration, so could theoretically regress login behavior. It's a minimal patch though and used in raring.

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

Hi Ayecee!

Thanks for your help to improve Ubuntu by reporting this issue!

The difference between version 1.2.3-0ubuntu1 and 1.2.3-0ubuntu2 of lightdm is a fix of bug 952185, so you kind of make me feel a culprit here. ;-) OTOH I can't reproduce the problem; for me /etc/environment is read just fine with lightdm 1.2.3-0ubuntu2.

I wonder ... lightdm 1.2.3-0ubuntu1 seems not to be available in the archive any longer. Was it possibly 1.2.1-0ubuntu1 you downgraded to?

Changed in lightdm (Ubuntu):
status: New → Incomplete
Revision history for this message
Ayecee (ayecee) wrote :

I downgraded to 1.2.3-0ubuntu1 on 03/20 according to my dpkg.log, and removed -proposed from my sources as I couldn't see where to report the bug at the time.

When 0ubuntu2 hit -updates, lightdm upgraded again, and _this_ time it looks like I downgraded to 1.2.1-0ubuntu1.

So, it was both :)

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

Ok, so it seems the problem is related to the 1.2.3-0ubuntu2 fix, after all.

For testing purposes, can you please upgrade again, replace /etc/pam.d/lightdm with the attached file, and let us know if that makes a difference.

tags: added: precise
Revision history for this message
Ayecee (ayecee) wrote :

That does seem to fix the path, both for regular users and for root via sudo.

Locale still isn't set though. I forgot to mention this in the first report. Though /etc/default/locale contains LANG="en_CA.UTF-8", this isn't reflected in "locale" output. This is another problem that downgrading resolved.

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

Ok, thanks.

What you say about the locale indicates that your home directory is ecryptfs protected, and that you have a ~/.pam_environment file that overrides /etc/default/locale. In that case it's just as it should be. In other words: it was wrong before on encrypted HOMEs and right now.

Since I can't reproduce the $PATH problem, I'm not sure how to proceed with this bug report. With lightdm 1.2.3-0ubuntu2, both /etc/environment and ~/.pam_environment are read later during the login process than before. It seems illogical that $PATH would not preserve its value for that reason. Do you possibly have some special configuration on your machine that might shed some light on the mystery?

With the modified /etc/pam.d/lightdm you have a working fix, at least. I'm inclined to think that we should just keep this bug report open for now, and see if other similar bugs are reported. I'll consult with someone about it.

Revision history for this message
Ayecee (ayecee) wrote :

This is using whole-disk encryption, not using ecryptfs. There is no ~/.pam_environment. However, the system has "likewise" installed, a package that allows it to be part of an AD domain, and that probably interacts with pam somehow. That's the only really unusual thing, I think.

Do you have the 0ubuntu1 version of that lightdm file handy? It'd be nice to compare the two and try changing one thing at a time, since I can reproduce it here.

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

Hmm... This tends to become complicated for a simple contributor as myself. ;-)

Anyway, I attach the 0ubuntu1 version of /etc/pam.d/lightdm. Basically, as you can see when you compare, the change consists of two lines in the beginning that were moved to the end.

Revision history for this message
Steve Langasek (vorlon) wrote :

Ayecee,

Can you please attach /etc/environment, /etc/default/locale, /etc/pam.d/lightdm, and all of /etc/pam.d/common-* from the system where you're able to reproduce this bug? (So, the confirmed-broken combination of these files, not a version of /etc/pam.d/lightdm from lightdm 1.2.3-0ubuntu1)

It is indeed possible that this is a problem with likewise. If true, I think that's probably a bug in likewise itself, for mishandling the pam stack; but we'll need to see the config files to confirm.

tags: added: regression-update
Revision history for this message
Ayecee (ayecee) wrote :

Here are the requested files.

Revision history for this message
Ayecee (ayecee) wrote :

The following lightdm pam file seems to resolve my problem, and hopefully resolves 952185 as well. It's the same as the 0ubuntu1 file, except that it also reads the user environment after session start.

Would this resolve 952185? Any problems this would introduce?

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

On 2013-04-03 16:26, Ayecee wrote:
> ... It's the same as the 0ubuntu1 file, except that it also reads the
> user environment after session start.
>
> Would this resolve 952185?

Yes, it would. But Steve is the decision maker here. There may be a better way to make everyone happy. ;-)

Revision history for this message
Claude Durocher (claude-durocher) wrote :

I had the same problem since the lightdm update but my symptom was more disrupting: my Unity session was switched to English instead of my default setting (French).

Using patch in comment #3 works for me.

I think this bug should get a high priority.

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

Claude,

Can you please let us know the output of these commands in a terminal window:

  cat /etc/default/locale

  cat ~/.pam_environment

Revision history for this message
Steve Langasek (vorlon) wrote :

In /etc/pam.d/common-session, the line:

session sufficient pam_lsass.so

... is broken. "sufficient" means that no further modules will be considered, short-circuiting any further modules in the stack.

This is absolutely incompatible with the need to stack pam_env *after* /etc/pam.d/common-session for handling of the ecryptfs $HOME case. The likewise pam-auth-update profile needs to be fixed to not use 'sufficient' here.

Are you using the likewise-open package in Ubuntu, or do you get likewise from a different source?

Revision history for this message
Claude Durocher (claude-d) wrote :

Gunnar,

Not at my usual workstation right now but from what I remember /etc/default/locale and ~/.pam_environment are the same and look fine (settings to French language).

Steve's comment is interesting: our setup is with PBIS 7 (the successor of likewise-open) and it was installed with the PowerBroker package. However we are not using ecryptfs.

In /etc/pam.d/common-session, "session sufficient pam_lsass.so" should be replaced by what? optional?

Revision history for this message
Steve Langasek (vorlon) wrote : Re: [Bug 1162836] Re: $PATH does not contain /usr/games - /etc/environment not sourced or environment not preserved

On Thu, Apr 04, 2013 at 01:43:12AM -0000, ClaudeD wrote:
> Steve's comment is interesting : our setup is with PBIS 7 (the successor
> of likewise-open) and it was installed with the PowerBroker package.
> However we are not using ecryptfs.

I understand; the issue is that the structure of these pam files must be
*generic* and work with any PAM modules you might choose to enable,
including either or both of lsass and ecryptfs. However, it doesn't because
the lsass module config is short-circuiting the stack.

> In /etc/pam.d/common-session, "session sufficient pam_lsass.so" should
> be replaced by what? optional?

It should be replaced by [success=ok default=ignore].
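
The short-circuit discussed in this thread, as an added example that is not part of the bug report or of any package's code: a simplified Python model of how libpam walks a session stack, comparing `sufficient` with `[success=ok default=ignore]`. The three-line stack and the function names are constructed for illustration.

```python
# Simplified model of libpam's walk over one "session" stack (added example).
# Keyword controls are expanded to the bracket equivalents given in pam.conf(5).
# Numeric jump actions such as [default=1] are not modelled.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok",
                   "default": "ignore"},
}

def parse_line(line):
    """Split 'session <control> <module> [args]' into (actions, module)."""
    rest = line.split(None, 1)[1]
    if rest.startswith("["):
        ctrl, rest = rest[1:].split("]", 1)
        actions = dict(pair.split("=") for pair in ctrl.split())
    else:
        ctrl, rest = rest.split(None, 1)
        actions = KEYWORDS[ctrl]
    return actions, rest.split()[0]

def modules_run(stack, results):
    """Return the modules that get called, given each module's result code."""
    called, failed = [], False
    for line in stack:
        actions, module = parse_line(line)
        called.append(module)
        result = results.get(module, "success")   # modules succeed by default
        action = actions.get(result, actions.get("default", "bad"))
        # "done" ends the stack only if nothing has failed before it
        if action == "die" or (action == "done" and not failed):
            break
        if action == "bad":
            failed = True
    return called

# Constructed sample: the tail of common-session followed by a pam_env line
# that the service file stacks after its @include of common-session.
BROKEN = [
    "session required pam_unix.so",
    "session sufficient pam_lsass.so",
    "session required pam_env.so readenv=1",
]
FIXED = [l.replace("sufficient", "[success=ok default=ignore]") for l in BROKEN]
```

Because `@include` pulls common-session into the service's own stack, the `done` action ends the whole session stack for that service, not just the included file.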

Revision history for this message
Ayecee (ayecee) wrote : Re: $PATH does not contain /usr/games - /etc/environment not sourced or environment not preserved

My likewise was also from a different source. I don't know if likewise-open does this.

We don't seem to have any reports from likewise-open users, so perhaps it's reasonable to revert to the original 0ubuntu2, close this out, and leave this as a record for other people using third-party likewise packages.

Revision history for this message
Claude Durocher (claude-durocher) wrote :

Tested /etc/pam.d/common-session with "session [success=ok default=ignore] pam_lsass.so" against the packaged version of /etc/pam.d/lightdm and it works fine.

I will notify PowerBroker of this bug.

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

A user let us know at bug 982383 that also likewise-open causes this problem, so I prepared a merge proposal.

Changed in likewise-open (Ubuntu):
assignee: nobody → Gunnar Hjalmarsson (gunnarhj)
importance: Undecided → Medium
status: New → In Progress
Changed in lightdm (Ubuntu):
status: Incomplete → New
summary: - $PATH does not contain /usr/games - /etc/environment not sourced or
- environment not preserved
+ likewise screws up PAM configuration for other services
Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

@Steve: Even if my likewise MP was merged this morning, I'd appreciate your eyes at it. If it's ok, I suppose that we should do the same in Precise.

Revision history for this message
Steve Langasek (vorlon) wrote : Re: [Bug 1162836] Re: likewise screws up PAM configuration for other services

On Mon, Apr 08, 2013 at 05:28:09PM -0000, Gunnar Hjalmarsson wrote:
> @Steve: Even if my likewise MP was merged this morning,

Well, it was merged by me, so my eyes have already been on it ;)

> I'd appreciate your eyes at it. If it's ok, I suppose that we should do
> the same in Precise.

Yes, I think this would be a good idea.

Changed in likewise-open (Ubuntu):
status: In Progress → Fix Committed
Changed in likewise-open (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

On 2013-04-08 19:51, Steve Langasek wrote:
> Well, it was merged by me, so my eyes have already been on it ;)

Aha, wasn't able to figure out. ;-)

tags: added: patch
Changed in likewise-open (Ubuntu Precise):
assignee: nobody → Gunnar Hjalmarsson (gunnarhj)
status: Triaged → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package likewise-open - 6.1.0.406-0ubuntu8

---------------
likewise-open (6.1.0.406-0ubuntu8) raring; urgency=low

  * debian/likewise-open.pam-auth-update:
    Don't mess with other services' PAM configuration (LP: #1162836).
 -- Gunnar Hjalmarsson <email address hidden> Fri, 05 Apr 2013 23:33:00 +0200

Changed in likewise-open (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lightdm (Ubuntu Precise):
status: New → Confirmed
Changed in lightdm (Ubuntu):
status: New → Confirmed
Revision history for this message
Michael Terry (mterry) wrote :

I've uploaded to precise. Just waiting on sru approval now. Thanks Gunnar! I'll unsubscribe sponsors now.

description: updated
no longer affects: lightdm (Ubuntu)
no longer affects: lightdm (Ubuntu Precise)
Changed in likewise-open (Ubuntu Precise):
assignee: Gunnar Hjalmarsson (gunnarhj) → nobody
status: In Progress → Confirmed
status: Confirmed → Triaged
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Ayecee, or anyone else affected,

Accepted likewise-open into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/likewise-open/6.1.0.406-0ubuntu5.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in likewise-open (Ubuntu Precise):
status: Triaged → Fix Committed
tags: added: verification-needed
Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

I installed likewise-open 6.1.0.406-0ubuntu5.1 from precise-proposed, and unlike with 6.1.0.406-0ubuntu5 I no longer see that infringing "sufficient" in /etc/pam.d/common-session.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Ayecee (ayecee) wrote :

I'm a little late to the party, but I can confirm that the "sufficient" is gone after installing likewise-open 6.1.0.406-0ubuntu5.1 from precise-proposed. I recently exchanged the third-party likewise packages for likewise-open on my system as well.

Revision history for this message
Scott Kitterman (kitterman) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package likewise-open - 6.1.0.406-0ubuntu5.1

---------------
likewise-open (6.1.0.406-0ubuntu5.1) precise-proposed; urgency=low

  * debian/likewise-open.pam-auth-update:
    Don't mess with other services' PAM configuration (LP: #1162836).
 -- Gunnar Hjalmarsson <email address hidden> Mon, 08 Apr 2013 21:21:00 +0200

Changed in likewise-open (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Bart van Andel (bavanandel) wrote :

Claude, was this ever reported to PowerBroker? Because I just ran into this issue today, with the latest release of PBIS Open.

Revision history for this message
Rob A (docsmooth) wrote :

Bart, This is tracked by BeyondTrust as bug 11434, which was closed in May. PBIS Open 8.1 and 8.2 (soon) should both have this fix.

PBIS Open 8.1 is available on the PBIS Repo at http://repo.pbis.beyondtrust.com

Revision history for this message
Tito Brasolin (tito-brasolin) wrote :

Thank you Rob A, but... The link http://repo.pbis.beyondtrust.com/apt/pbiso.list is currently (maybe temporarily?) broken
